My server is under attack, what should I do?

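Posted on 2006-5-31 09:28:57
While reviewing the system security log, I keep finding that someone is constantly connecting to my server
and trying to log in with different passwords. How should I deal with this situation?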


    May 30 08:38:57 myserver sshd[2751]: Did not receive identification string from 218.241.83.79
    May 30 08:42:29 myserver sshd[2772]: Invalid user staff from 218.241.83.79
    May 30 00:42:29 myserver sshd[2775]: input_userauth_request: invalid user staff
    May 30 08:42:29 myserver sshd[2772]: pam_unix(sshd:auth): check pass; user unknown
    May 30 08:42:29 myserver sshd[2772]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.241.83.79
    May 30 08:42:29 myserver sshd[2772]: pam_succeed_if(sshd:auth): error retrieving information about user staff
    May 30 08:42:31 myserver sshd[2772]: Failed password for invalid user staff from 218.241.83.79 port 46406 ssh2
    May 30 00:42:31 myserver sshd[2775]: Failed password for invalid user staff from 218.241.83.79 port 46406 ssh2
    May 30 00:42:31 myserver sshd[2775]: Received disconnect from 218.241.83.79: 11: Bye Bye
    May 30 08:42:36 myserver sshd[2777]: Invalid user sales from 218.241.83.79
    May 30 00:42:36 myserver sshd[2780]: input_userauth_request: invalid user sales
    May 30 08:42:36 myserver sshd[2777]: pam_unix(sshd:auth): check pass; user unknown
    May 30 08:42:36 myserver sshd[2777]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.241.83.79
    May 30 08:42:36 myserver sshd[2777]: pam_succeed_if(sshd:auth): error retrieving information about user sales
    May 30 08:42:38 myserver sshd[2777]: Failed password for invalid user sales from 218.241.83.79 port 47507 ssh2
    May 30 00:42:38 myserver sshd[2780]: Failed password for invalid user sales from 218.241.83.79 port 47507 ssh2
    May 30 00:42:38 myserver sshd[2780]: Received disconnect from 218.241.83.79: 11: Bye Bye
    May 30 08:42:44 myserver sshd[2781]: Invalid user recruit from 218.241.83.79
    May 30 00:42:54 myserver sshd[2784]: input_userauth_request: invalid user recruit
    May 30 08:42:54 myserver sshd[2781]: pam_unix(sshd:auth): check pass; user unknown
    May 30 08:42:54 myserver sshd[2781]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.241.83.79
    May 30 08:42:54 myserver sshd[2781]: pam_succeed_if(sshd:auth): error retrieving information about user recruit
    May 30 08:42:56 myserver sshd[2781]: Failed password for invalid user recruit from 218.241.83.79 port 48083 ssh2
    May 30 00:42:56 myserver sshd[2784]: Failed password for invalid user recruit from 218.241.83.79 port 48083 ssh2
    May 30 00:42:56 myserver sshd[2784]: Connection closed by 218.241.83.79
    May 30 09:49:25 myserver su: pam_unix(su:session): session closed for user root
    May 30 11:29:50 myserver sshd[7898]: Did not receive identification string from 221.11.140.231
    May 30 11:55:26 myserver sshd[9841]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=59.52.28.136  user=root
    May 30 11:55:29 myserver sshd[9841]: Failed password for root from 59.52.28.136 port 33517 ssh2
    May 30 03:55:29 myserver sshd[9844]: Failed password for root from 59.52.28.136 port 33517 ssh2
    May 30 03:55:29 myserver sshd[9844]: Received disconnect from 59.52.28.136: 11: Bye Bye
    May 30 11:55:35 myserver sshd[9860]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=59.52.28.136  user=root
    May 30 11:55:36 myserver sshd[9860]: Failed password for root from 59.52.28.136 port 34053 ssh2
    May 30 03:55:36 myserver sshd[9863]: Failed password for root from 59.52.28.136 port 34053 ssh2
    May 30 03:55:36 myserver sshd[9863]: Received disconnect from 59.52.28.136: 11: Bye Bye
    May 30 11:55:42 myserver sshd[9877]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=59.52.28.136  user=root
    May 30 11:55:44 myserver sshd[9877]: Failed password for root from 59.52.28.136 port 34444 ssh2
    May 30 03:55:44 myserver sshd[9880]: Failed password for root from 59.52.28.136 port 34444 ssh2
    May 30 03:55:44 myserver sshd[9880]: Received disconnect from 59.52.28.136: 11: Bye Bye
    May 30 11:55:50 myserver sshd[9903]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=59.52.28.136  user=root
    May 30 11:55:52 myserver sshd[9903]: Failed password for root from 59.52.28.136 port 34849 ssh2
    May 30 03:55:52 myserver sshd[9906]: Failed password for root from 59.52.28.136 port 34849 ssh2
    May 30 03:55:52 myserver sshd[9906]: Received disconnect from 59.52.28.136: 11: Bye Bye
    May 30 11:55:58 myserver sshd[9924]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=59.52.28.136  user=root
    May 30 11:56:00 myserver sshd[9924]: Failed password for root from 59.52.28.136 port 35242 ssh2
    May 30 03:56:00 myserver sshd[9927]: Failed password for root from 59.52.28.136 port 35242 ssh2
    May 30 03:56:00 myserver sshd[9927]: Received disconnect from 59.52.28.136: 11: Bye Bye
    May 30 11:56:05 myserver sshd[9946]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=59.52.28.136  user=root
    May 30 11:56:08 myserver sshd[9946]: Failed password for root from 59.52.28.136 port 35587 ssh2
    May 30 03:56:08 myserver sshd[9950]: Failed password for root from 59.52.28.136 port 35587 ssh2
    May 30 03:56:08 myserver sshd[9950]: Received disconnect from 59.52.28.136: 11: Bye Bye
    May 30 11:56:13 myserver sshd[9963]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=59.52.28.136  user=root
    May 30 11:56:15 myserver sshd[9963]: Failed password for root from 59.52.28.136 port 36048 ssh2
    May 30 03:56:15 myserver sshd[9966]: Failed password for root from 59.52.28.136 port 36048 ssh2
    May 30 03:56:15 myserver sshd[9966]: Received disconnect from 59.52.28.136: 11: Bye Bye
    May 30 11:56:21 myserver sshd[9984]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=59.52.28.136  user=root
    May 30 11:56:23 myserver sshd[9984]: Failed password for root from 59.52.28.136 port 36494 ssh2
    May 30 03:56:23 myserver sshd[9987]: Failed password for root from 59.52.28.136 port 36494 ssh2
    May 30 03:56:23 myserver sshd[9987]: Received disconnect from 59.52.28.136: 11: Bye Bye
    May 30 11:56:28 myserver sshd[10001]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=59.52.28.136  user=root
    May 30 11:56:31 myserver sshd[10001]: Failed password for root from 59.52.28.136 port 36949 ssh2
    May 30 03:56:31 myserver sshd[10004]: Failed password for root from 59.52.28.136 port 36949 ssh2
    May 30 03:56:31 myserver sshd[10004]: Received disconnect from 59.52.28.136: 11: Bye Bye
    May 30 11:56:45 myserver sshd[10017]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=59.52.28.136  user=root
    May 30 11:56:47 myserver sshd[10017]: Failed password for root from 59.52.28.136 port 37420 ssh2

Posted on 2006-5-31 11:23:48
This kind of attack is fairly common.

Using a password that mixes upper- and lower-case letters and digits is a relatively safe approach.

Posted on 2006-5-31 11:31:19
Disable password authentication and log in with certificates.

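Original poster | Posted on 2006-5-31 11:45:29
So in other words, this kind of attack can't be avoided?!
Then is there any way to automatically block the attacker?
My server's bandwidth is limited after all, and when he hammers it like this nobody else can get access.
It seems to frequently make the server stop serving intermittently, recovering after ten-odd seconds, which is quite annoying.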
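The automatic blocking asked about above starts with finding which addresses are guessing passwords. This added example (not from the thread; the function names, the threshold and the sample addresses are assumptions) counts failed SSH connections per source in logs of the format quoted above, counting the doubled lines once, and renders iptables DROP rules for review.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the log quoted in the thread (addresses
# are documentation ranges). As in that log, each failure appears twice: two
# sshd processes with different PIDs and clock offsets report the same attempt.
SAMPLE_LOG = """\
May 30 11:55:29 myserver sshd[9841]: Failed password for root from 192.0.2.10 port 33517 ssh2
May 30 03:55:29 myserver sshd[9844]: Failed password for root from 192.0.2.10 port 33517 ssh2
May 30 11:55:36 myserver sshd[9860]: Failed password for root from 192.0.2.10 port 34053 ssh2
May 30 03:55:36 myserver sshd[9863]: Failed password for root from 192.0.2.10 port 34053 ssh2
May 30 11:55:44 myserver sshd[9877]: Failed password for root from 192.0.2.10 port 34444 ssh2
May 30 03:55:44 myserver sshd[9880]: Failed password for root from 192.0.2.10 port 34444 ssh2
May 30 08:42:31 myserver sshd[2772]: Failed password for invalid user staff from 198.51.100.7 port 46406 ssh2
May 30 00:42:31 myserver sshd[2775]: Failed password for invalid user staff from 198.51.100.7 port 46406 ssh2
May 30 09:10:02 myserver sshd[3001]: Failed password for alice from 203.0.113.5 port 50001 ssh2
May 30 09:10:09 myserver sshd[3004]: Failed password for alice from 203.0.113.5 port 50002 ssh2
May 30 09:10:15 myserver sshd[3007]: Failed password for alice from 203.0.113.5 port 50003 ssh2
May 30 09:10:20 myserver sshd[3010]: Accepted password for alice from 203.0.113.5 port 50004 ssh2
"""

# The user name is attacker-controlled, so match greedily and anchor on the
# end of the line: the address sshd itself appended is the last one.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?.+ "
    r"from (\d{1,3}(?:\.\d{1,3}){3}) port (\d+) ssh2\s*$"
)

def failed_attempts(log_text):
    """Map source IP -> set of source ports, so duplicate lines count once."""
    attempts = defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            attempts[m.group(1)].add(int(m.group(2)))
    return attempts

def offenders(log_text, threshold=3, trusted=()):
    """Return {ip: failed connections} for untrusted IPs at or over threshold."""
    return {ip: len(ports) for ip, ports in failed_attempts(log_text).items()
            if len(ports) >= threshold and ip not in trusted}

def drop_rules(ips):
    """Render iptables commands for review; nothing is executed here."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP"
            for ip in sorted(ips)]

if __name__ == "__main__":
    print("\n".join(drop_rules(offenders(SAMPLE_LOG, trusted={"203.0.113.5"}))))
```

Keying on the source port counts connections with at least one failed password rather than individual guesses, so the threshold is conservative; the `trusted` set keeps an administrator who mistyped a password from being blocked.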

Posted on 2006-5-31 13:59:15
What service does your server provide? Surely not an SSH login service?
Add iptables rules that only allow trusted IPs to connect to port 22.

Original poster | Posted on 2006-6-1 10:06:22
I never opened port 22 on the router, though.

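Posted on 2006-6-1 10:28:49
Use IPTABLES to set up the INPUT rules:

    # Replace <IP of the computer you log in from> with that machine's address.
    iptables -A INPUT -p tcp -s <IP of the computer you log in from> --dport 22 -j ACCEPT
    iptables -A OUTPUT -p tcp -d <IP of the computer you log in from> --sport 22 -m state --state ESTABLISHED -j ACCEPT

Give it a try!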

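Posted on 2006-6-1 10:30:34
The prerequisite is that you have IPTABLES set up properly,
and that everything in IPTABLES defaults to DROP.
Open the ports that can be opened,
and close all the unstable ports!!!!!!!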

Posted on 2006-6-1 16:27:10
Go in and take a look; the script in there can help you solve the problem.
http://bbs.chinaunix.net/viewthread.php?tid=578382&highlight=platinum

Posted on 2006-6-5 17:32:25
PortSentry and Snort
